PAOGA - Privacy & Trust in the Digital Age

September 23, 2011

Implementing PbD - Privacy by Design

The Canadian Government has long led the way regarding Privacy over Personal Information and this position is reinforced by the White Paper ‘Privacy by Design in Law, Policy and Practice’ published in August 2011 by Ann Cavoukian, Ph.D., the Information and Privacy Commissioner, Ontario, Canada.

The paper reflects and endorses what we at PAOGA have spent 6 years or more striving to embed in the processes used for communication and transactions between consumers, businesses and government to engender Privacy and Trust in the Digital Age to the benefit of all.

I have underlined too many sentences and assertions in this paper which echo our philosophy, strategy and objectives to extract them all here, but core to the vision of Privacy by Design (PbD) are:

The 7 Foundational Principles of Privacy by Design.

1. Proactive not Reactive; Preventative not Remedial

The Privacy by Design (PbD) approach is characterized by proactive rather than reactive measures. It anticipates and prevents privacy invasive events before they happen. PbD does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred — it aims to prevent them from occurring. In short, Privacy by Design comes before-the-fact, not after.

PAOGA provides individuals and organisations with their personal digital ‘safe deposit box’. Only they have the key (PAOGA cannot access it) and, until they invite another individual or organisation to share their personal information "under their control, with their consent, for their benefit", it is completely private.

2. Privacy as the Default

We can all be certain of one thing — the default rules! Privacy by Design seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice. If an individual does nothing, their privacy still remains intact. No action is required on the part of the individual to protect their privacy — it is built into the system, by default.

PAOGA provides the highest levels of encryption and security by default. The user can, if they choose, reduce those levels dependent upon context and their relationship.

3. Privacy Embedded into Design

Privacy by Design is embedded into the design and architecture of IT systems and business practices. It is not bolted on as an add-on, after the fact. The result is that privacy becomes an essential component of the core functionality being delivered. Privacy is integral to the system, without diminishing functionality.

4. Full Functionality - Positive-Sum, not Zero-Sum

Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. Privacy by Design avoids the pretense of false dichotomies, such as privacy vs. security, demonstrating that it is possible to have both.

Privacy provides confidence which underpins trust. Trust is good for business as well as consumers.

5. End-to-End Lifecycle Protection

Privacy by Design, having been embedded into the system prior to the first element of information being collected, extends securely throughout the entire lifecycle of the data involved, from start to finish. This ensures that at the end of the process, all data are securely destroyed, in a timely fashion. Thus, Privacy by Design ensures cradle to grave, lifecycle management of information, end-to-end.

PAOGA gives the participants in a communication or transaction complete control over their personal and confidential information: only the relevant information, together with its audit trail, is revealed, and the participants can place a time limit on access. Access permissions to relevant data or documents (one-time, scheduled or persistent) can be revoked by the owner.

6. Visibility and Transparency

Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives, subject to independent verification. Its component parts and operations remain visible and transparent, to users and providers alike. Remember, trust but verify.

For ‘legal certainty’ and ‘evidential weight’ it is crucial to establish a ‘legal starting point’ for individuals and organisations. Similarly, identity, assertions and documents can be verified and certified by appropriate Trusted Third Parties. Either party can revisit THE document, not a copy, and have assurance that the ‘transaction container has not been tampered with, the signatures remain validated and the time stamp accurate’.
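The two PAOGA mechanisms described under principles 5 and 6, owner-controlled access grants (one-time, scheduled or persistent, time-limited and revocable, with an audit trail) and a tamper-evident, time-stamped transaction container, can be sketched in a few dozen lines. The code below is an added illustration written for this page, not PAOGA's own implementation; the function and class names are hypothetical, the key is a constructed demo value, and a keyed hash (HMAC) stands in for the digital signatures the text refers to, so "tag" here means a MAC rather than a third-party-verifiable signature.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed demo key for this example only. A real deployment would use a
# per-participant signing key; HMAC stands in here for a digital signature.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _canonical(payload: dict, timestamp: float) -> bytes:
    """Deterministic encoding so sealer and verifier hash identical bytes."""
    body = {"payload": payload, "timestamp": timestamp}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal_container(payload: dict, key: bytes,
                   timestamp: Optional[float] = None) -> dict:
    """Bind the document payload and its time stamp together under one tag."""
    ts = time.time() if timestamp is None else timestamp
    tag = hmac.new(key, _canonical(payload, ts), hashlib.sha256).hexdigest()
    return {"payload": payload, "timestamp": ts, "tag": tag}


def verify_container(container: dict, key: bytes, now: Optional[float] = None,
                     max_skew: float = 300.0) -> Tuple[bool, str]:
    """Return (ok, reason). Altering the payload OR the time stamp breaks the tag."""
    now = time.time() if now is None else now
    expected = hmac.new(key, _canonical(container["payload"],
                                        container["timestamp"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, container["tag"]):
        return False, "tag invalid: container altered or wrong key"
    if container["timestamp"] > now + max_skew:
        return False, "time stamp in the future"
    return True, "ok"


@dataclass
class Grant:
    """An owner-issued permission on one document."""
    kind: str                        # "one-time", "scheduled" or "persistent"
    not_before: float = 0.0          # scheduled window start (epoch seconds)
    not_after: float = float("inf")  # optional time limit set by the owner
    revoked: bool = False
    used: bool = False
    audit: list = field(default_factory=list)


def revoke(grant: Grant) -> None:
    """The owner withdraws the permission; later checks fail closed."""
    grant.revoked = True
    grant.audit.append("revoked by owner")


def check_access(grant: Grant, now: float) -> Tuple[bool, str]:
    """Evaluate a grant at time `now`; every decision lands in the audit trail."""
    if grant.revoked:
        verdict = (False, "revoked")
    elif not (grant.not_before <= now <= grant.not_after):
        verdict = (False, "outside permitted window")
    elif grant.kind == "one-time" and grant.used:
        verdict = (False, "one-time grant already consumed")
    else:
        if grant.kind == "one-time":
            grant.used = True  # consume it so a replay of the same grant fails
        verdict = (True, "granted")
    grant.audit.append(f"{now}: {verdict[1]}")
    return verdict
```

The access check is written to fail closed: revocation is tested first, then the time window, then one-time consumption, and only a grant that passes all three is honoured. The container check verifies the tag before it looks at the time stamp, because the time stamp is only trustworthy once the tag that covers it has been validated.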

7. Respect for User Privacy

Above all, Privacy by Design requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options. Keep it user-centric.

In the UK '80% of people are concerned about their personal information online' - Christopher Graham, Information Commissioner, January 2011 and 'Cyber crime costs UK plc £27 billion per annum' - Cabinet Office/Detica, September 2011.

The user, in their multiple roles as citizen, consumer, employee, patient etc., is the ‘common denominator’ in their relationships with other individuals and organisations, public and private. They are best placed to manage and update their personal information and to ‘share’ what is appropriate. This also shares the cost and regulatory risks of inaccurate data which is a threat to both individual and business.

The UK Cabinet Office Identity Assurance (IdA) program, in which individuals will have a choice of approved (public and private sector) identity providers, verification, certification and information storage services, marks a small but significant step towards Privacy by Design.

It is imperative that organisations (public and private) recognise this as a win-win proposition and embrace this initiative in their quest to reduce costs, improve efficiency, facilitate compliance, and establish trust.
